DoD Safeguarding & NIST SP 800-171 Β· NIST SP 800-171 / DFARS 252.204-7012

NIST SP 800-171 Security Requirements (SSP & POA&M)

Also known as: 800-171, NIST 800-171, CUI security requirements

What you do here: Implement the NIST SP 800-171 controls, document them in an SSP, and track gaps in a POA&M

At a Glance

Who it applies to
Contractors whose systems handle CUI / Covered Defense Information β€” required by DFARS 7012 and CMMC Level 2
What it obligates
Implement the SP 800-171 security requirements (110 in Rev. 2, reorganized in Rev. 3) across 14 families
Governing authority
NIST Special Publication 800-171, incorporated by DFARS 252.204-7012
Key documents
System Security Plan (SSP) describing implementation, and a Plan of Action & Milestones (POA&M) for gaps
The stakes
It's the technical backbone of DoD cybersecurity β€” CMMC assessments and SPRS scores measure it directly

What It Is

NIST Special Publication 800-171, 'Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,' is the technical security standard at the heart of federal (especially DoD) cybersecurity for contractors. It sets out the security requirements a non-federal organization must meet to protect CUI on its own systems. Revision 2 organizes 110 security requirements into 14 families β€” access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. (NIST published Revision 3 in 2024, which restructures and updates the requirements; contracts specify which revision applies.) Two documents operationalize it. The System Security Plan (SSP) describes how you have implemented each requirement β€” the boundary of your system, the controls in place, and how they work. The Plan of Action & Milestones (POA&M) lists any requirement not yet fully met, with a plan and date to close the gap. NIST SP 800-171 is not itself a clause; it becomes binding because DFARS 252.204-7012 requires contractors handling Covered Defense Information to implement it, DFARS 252.204-7019/7020 require you to self-assess against it and post a score to SPRS, and CMMC Level 2 requires a third party to assess it. In plain terms: 800-171 is the checklist, the SSP is your proof you did it, and the POA&M is your honest list of what's left.

When It Applies

  • Whenever a DoD contract involves Covered Defense Information β€” DFARS 252.204-7012 requires SP 800-171 implementation.
  • When you compute and post a NIST SP 800-171 DoD Assessment score to SPRS (DFARS 7019/7020).
  • When you undergo a CMMC Level 2 assessment, which is based on the SP 800-171 requirements.
  • Increasingly on non-DoD contracts as agencies adopt SP 800-171 for CUI under the emerging governmentwide FAR rule.

Key Features

FeatureWhat It Means
110 requirements across 14 families (Rev. 2)A comprehensive control set spanning access, authentication, audit, configuration, incident response, media, physical, and system integrity β€” reorganized in Revision 3.
System Security Plan (SSP)The document describing your system boundary and how each requirement is implemented β€” the government's and an assessor's starting point.
Plan of Action & Milestones (POA&M)The honest list of requirements not yet met, each with a remediation plan and target date; scored negatively until closed.
Not a clause by itselfIt becomes binding through DFARS 7012 (implement), 7019/7020 (self-assess and post to SPRS), and CMMC Level 2 (third-party assess).
Revision mattersContracts specify Rev. 2 or Rev. 3; the revision changes the control count and structure, so confirm which one your contract requires.

The SDVOSB Angle

NIST SP 800-171 is where the real cost of DoD cybersecurity lands on a small SDVOSB, and where honesty pays. The self-assessment (posted to SPRS) uses a scoring methodology that starts at 110 and subtracts weighted points for each unmet requirement β€” so a firm early in its journey can post a low or negative score, which is legal as long as it's accurate and paired with a POA&M. The danger is inflating the score to look award-ready: because DFARS 7019/7020 make the score a representation and CMMC will bring a third-party assessor to check it, an overstated SSP is a documented False Claims Act exposure that has already produced settlements against contractors. Build a genuine SSP scoped to only the systems that actually touch CUI (shrinking the boundary shrinks the cost), track gaps in a real POA&M, and treat 800-171 maturity as a competitive discriminator β€” many small competitors can't show a credible score. Price the assessment and remediation into your bid using the Price-to-Win build-up.

How to Comply

  1. Confirm which revision (Rev. 2 or Rev. 3) your contract requires and scope the system boundary that handles CUI.
  2. Assess your implementation of each SP 800-171 requirement and write a genuine System Security Plan (SSP).
  3. Record every unmet requirement in a Plan of Action & Milestones (POA&M) with a realistic remediation date.
  4. Compute the NIST 800-171 DoD Assessment score accurately and keep the evidence behind it.
  5. Remediate high-value gaps first (they carry the most points) and keep the SSP current as your systems change.

Watch Out For

  • Overstating the SSP or the SPRS score β€” it's a representation with real False Claims Act exposure.
  • Scoping the whole company into the boundary when only a few systems touch CUI, multiplying the cost.
  • Confusing Rev. 2 and Rev. 3 requirements β€” implement the revision your contract actually names.
  • Treating the POA&M as permanent β€” open items lower your score and, under CMMC, are time-limited.

Run the Numbers

Price-to-Win Calculator β†’

Frequently Asked

What is NIST SP 800-171?

NIST Special Publication 800-171 is the technical standard for protecting Controlled Unclassified Information (CUI) on non-federal (contractor) information systems. Revision 2 defines 110 security requirements across 14 families; Revision 3, published in 2024, restructures and updates them. It is required by DFARS 252.204-7012 for DoD contractors handling Covered Defense Information, forms the basis of CMMC Level 2, and is documented through a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M).

What is a System Security Plan (SSP) and a POA&M?

A System Security Plan (SSP) is the document that describes your information system's boundary and how you have implemented each NIST SP 800-171 requirement β€” it is the evidence that you meet the standard. A Plan of Action & Milestones (POA&M) is the companion document listing every requirement you have not yet fully met, with a plan and target date to close each gap. Together they are required by DFARS 252.204-7012, and they are the starting point for a DoD assessment or a CMMC evaluation.

How is the NIST 800-171 SPRS score calculated?

The DoD Assessment Methodology starts a contractor at 110 points (perfect implementation of all Revision 2 requirements) and subtracts a weighted value β€” 1, 3, or 5 points β€” for each requirement not fully implemented, based on its security impact. The resulting score (which can be negative) is posted to the Supplier Performance Risk System (SPRS) under DFARS 252.204-7019/7020. A lower score paired with an accurate SSP and POA&M is acceptable; an inflated score is a false representation, so the score must reflect your actual posture.

Primary Sources

Plain-English reference, not legal advice. Cybersecurity and information-safeguarding rules are fact-specific and change often β€” the FAR, DFARS, NIST publications, and the CMMC program rule are amended and phased in over time. Always read the current FAR/DFARS text and the safeguarding clauses in your specific contract, check the version of NIST SP 800-171 your contract requires, confirm the SPRS and CMMC requirements with the contracting officer, and consult qualified counsel or a cybersecurity professional before relying on a compliance position or making a certification.

Last updated Update cadence: Quarterly, plus on FAR/DFARS amendment, a new NIST SP 800-171 revision, or CMMC phase-in changes
Change log (1)
  1. LaunchedPublished the federal contract cybersecurity & information safeguarding requirements reference covering the obligations an SDVOSB takes on across a federal (especially DoD) set-aside β€” basic safeguarding of Federal Contract Information (FAR 52.204-21), the Section 889 covered-telecom prohibition (FAR 52.204-25), the DoD safeguarding of Covered Defense Information and 72-hour cyber-incident reporting (DFARS 252.204-7012), the NIST SP 800-171 control set with its System Security Plan and POA&M, the SPRS self-assessment score (DFARS 252.204-7019 / -7020), the CMMC program and its three levels (DFARS 252.204-7021 / 32 CFR Part 170), Controlled Unclassified Information marking and handling (32 CFR Part 2002 / EO 13556), and the emerging governmentwide FAR CUI rule β€” each with an at-a-glance quick-facts card, a when-it-applies list, a key-features table, an SDVOSB-specific angle, a how-to-comply checklist, watch-outs, FAQPage, Article, Dataset, and BreadcrumbList structured data, primary-source FAR/DFARS/CFR/NIST citations, and cross-links into the glossary, contracting systems (SPRS, SAM.gov), clauses, forms, contract types, how-to guides, FAQ, and the price-to-win and win-probability calculators.

Related Safeguarding Requirements

Systems You’ll Use

SPRS — Supplier Performance Risk System→

Clauses That Apply

FAR 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems→

How It Plays by Contract Type

FFP β€” Firm-Fixed-Price (FFP)β†’
CPFF β€” Cost-Plus-Fixed-Fee (CPFF)β†’

Forms You’ll Use

SF 1408 — Preaward Survey of Prospective Contractor — Accounting System→

Terms Used on This Page

FARDCAA

In the FAQ Knowledge Base

What VA IT contracts are available to SDVOSBs?β†’
← All Cybersecurity & Information Safeguarding Requirements